[xhr2] cross site non-GET requests and redirects

Hi All,

I'm currently working on implementing cross-site XMLHttpRequest as 
detailed in this draft:

http://lists.w3.org/Archives/Public/public-webapi/2006Jun/0012

However I'm a little bit worried about two things regarding non-GET 
requests.

First of all I don't like that POST requests can be made unchecked to 
any url. I do realize that this seems possible already using text/plain 
encoded forms, but this is possibly something that browsers will need to 
change.

Second, I'm a little bit worried about the algorithm used for non-GET 
(non-POST in the current draft) requests in connection with redirects. From my 
understanding the following is a valid scenario:

1. Web page on server A makes a DELETE request to server B
2. XHR implementation sends a GET request to server B
3. Server B redirects to server C
4. Server C sends reply that approves the request using appropriate
    headers and an "Allow: DELETE" header
5. XHR implementation sends DELETE request to server B
6. Server B deletes file on requested uri.

What worries me is that in step 5 the DELETE request is sent to server B 
even though server B has never explicitly allowed that. Granted, since 
the redirect chain is not the same for the initial GET request as for 
the DELETE request, the returned result will not be accessible to the 
web page, but that hardly matters as the damage is already done.

The only thing server B has done is to redirect to server C. This could 
be done without any knowledge of XHR or the cross-site spec.

I propose we instead specify that the DELETE request should be done to 
the final uri of the redirects in the GET request. And if the DELETE 
request produces any redirects then those must not be honored.

Do other people have an opinion? In general it feels to me like 
redirects and non-GET requests cross site is a rare edge-case and not 
something that is particularly important. So we might as well do the 
safe thing. I could even see disallowing redirects entirely, even for 
the initial GET request.

Best Regards,
Jonas Sicking

Received on Monday, 23 July 2007 10:38:34 UTC
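The six-step scenario above, as an added simulation that is not part of the original message: three constructed in-memory servers (a.example as the page origin, b.example redirecting to c.example, c.example approving DELETE) are run through the draft's algorithm as the post reads it and through the proposed alternative, recording which host actually receives the DELETE. The "Approved-Origin" header name is a stand-in for the draft's "appropriate headers"; only "Allow: DELETE" is taken from the post.

```python
# Constructed simulation of the redirect scenario in the post. Server B knows
# nothing about cross-site XHR and only redirects GET to server C; server C
# approves a cross-site DELETE. "Approved-Origin" is a hypothetical header.
from urllib.parse import urlsplit, urljoin

REQUEST_LOG = []          # (host, method, path) for every request sent
REDIRECTS = (301, 302, 303, 307)

def server_b(method, path):
    if method == "GET":
        return 302, {"Location": "http://c.example" + path}
    return 200, {}        # B performs the DELETE although it never approved it

def server_c(method, path):
    if method == "GET":
        return 200, {"Approved-Origin": "a.example", "Allow": "DELETE"}
    return 200, {}

SERVERS = {"b.example": server_b, "c.example": server_c}

def send(method, url):
    p = urlsplit(url)
    REQUEST_LOG.append((p.netloc, method, p.path))
    return SERVERS[p.netloc](method, p.path)

def preflight_get(url, max_hops=5):
    """Pre-flight GET: follow redirects, return (final_url, status, headers)."""
    for _ in range(max_hops):
        status, headers = send("GET", url)
        if status not in REDIRECTS or "Location" not in headers:
            return url, status, headers
        url = urljoin(url, headers["Location"])
    raise RuntimeError("too many redirects")

def approved(status, headers, method):
    allow = {m.strip() for m in headers.get("Allow", "").split(",")}
    return status == 200 and "Approved-Origin" in headers and method in allow

def draft_algorithm(method, url):
    """Draft as read in the post: the real request goes to the original URI."""
    _, status, headers = preflight_get(url)
    return send(method, url) if approved(status, headers, method) else None

def proposed_algorithm(method, url):
    """Post's proposal: send to the final URI of the GET chain; ignore redirects."""
    final_url, status, headers = preflight_get(url)
    if not approved(status, headers, method):
        return None
    status, headers = send(method, final_url)
    return None if status in REDIRECTS else (status, headers)

def delete_targets(algorithm, url="http://b.example/file"):
    """Run one algorithm and return the hosts that actually received a DELETE."""
    REQUEST_LOG.clear()
    algorithm("DELETE", url)
    return [host for host, method, _ in REQUEST_LOG if method == "DELETE"]
```

Under the draft reading the DELETE lands on b.example, which only ever issued a redirect; under the proposal it lands on c.example, the host that actually approved it.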